Risk management for cloud computing deployments

When you consider the recent trends and studies on cloud computing, it’s clear that after the
Internet, it’s the turn of cloud computing to shape the future of computing. The question is no
longer “To cloud or not to cloud”, but more of “when will the shift happen” and “what
processes will shift to the cloud”. In this series of articles, we will endeavor to perform a
complete cloud risk management exercise.

As part of a risk management exercise for cloud computing, it’s important to rank the positive
information security benefits of utilizing cloud infrastructure. Since the largest risks lie on
public cloud fronts, all references are to public cloud infrastructure unless mentioned
otherwise.

A background

By their very nature, cloud computing setups are huge, typically comprising hundreds (if not
thousands) of servers running a wide variety of operating systems, virtualized platforms and
databases. The network will utilize equipment with gigabit transfer rates and high-end security
systems. The data centre is at least a tier 2+, if not a tier 3/4 setup.

What this translates into is:

Specialized personnel: Since the entire business model is based on providing IT
resources, cloud providers can afford to hire and retain the industry’s finest skillsets. This is a
huge boon for many organizations, since they are unable to attract and retain highly skilled
resources.

It’s not rare to see organizations that are able to spend large sums on IT infrastructure
but are unable to derive the due benefits because they lack skilled resources.

Opex, NOT capex: In many countries, organizations purchasing IT equipment for internal
consumption (capital expenditure, or “capex”) cannot take immediate tax benefits by writing off
the expenditure, but get staggered benefits spread over five years. When an organization employs
a cloud provider’s resources, its investments in cloud resources get classified as operational
expense (opex), which results in immediate tax benefits.

Platform support: Many organizations are unable to roll out patches on time, or even to
identify the applicable patches, for reasons such as the lack of an adequate knowledge base, time,
or adequate testing infrastructure. Most cloud providers do not have these shortcomings, which
ensures that the platforms and applications that you use on those cloud setups are adequately up
to date. This is a two-edged sword, since this very point has also been observed as a weakness in
certain cloud providers whom we have audited.
Organizations which have fairly mature processes in place ensure aspects like timely internal
system updates and adequate testing. The same cannot be guaranteed for cloud providers, due to
lack of visibility and transparency. We will cover this aspect in detail, with mitigation
strategies, in the next installments of this tip.

Backup and recovery: Almost all the organizations that I have worked with in the past 20
years take regular backups. However, very few organizations ever perform regular restoration to
check the working and adequacy of backups, which leads to unpleasant last-minute surprises. Cloud
providers have this step firmly in place, since the repercussions of a mess-up would be fatal for
their existence. Again, this is a two-edged sword dependent on the policies of the cloud provider,
which may or may not be sufficient for your organizational requirements. We will cover mitigation
strategies in detail in the next parts.

Disaster recovery: This is critical for most organizations, but regularly side-stepped
or watered down. Redundancy and disaster recovery capabilities are built into cloud computing
environments. This is a two-edged sword dependent on the cloud provider’s policies and
implementation strategy, which may not be sufficient for your organizational requirements.

Thin clients: Since applications and data (in most cases) will reside on the cloud
infrastructure, you will not require powerful laptops and desktops to run your applications. Not
much confidential data will reside on your internal systems, thus cutting down on your information
risk factors. This is again based on the cloud provider’s policies and your implementation
topology.

Power savings: Last year, Pike Research found that cloud computing could lead to a 38
percent reduction in worldwide data
center energy use by 2020, compared to what the growth of data center energy consumption would be
without cloud computing. Another study
from Microsoft, Accenture and WSP Environment and Energy in 2011 found that moving business
applications to the cloud could cut the associated per-user carbon footprint by 30 percent for
large, already-efficient companies. This figure could be as much as 90 percent for the smallest and
least efficient businesses.

I have exceeded the word count limit for my article, so adieu for now. The upcoming articles
will contain more insights on cloud risk management.
